Skip to main content

Identify Compliance Trends

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify major trends impacting cybersecurity compliance and regulation.
  • Describe how organizations face these trends.

Trends in cybersecurity compliance and regulation are affecting organizations everywhere. Today’s regulatory environment is more challenging than ever. To get a better understanding of what this ever-changing landscape looks like for organizations, let’s explore some top trends and challenges reshaping regulatory compliance for cybersecurity.

Cybersecurity Compliance Is Not Just an Information Technology Issue

Many fear cybersecurity compliance as an amorphous issue that only the information technology (IT) department handles. The reality is that the financial, legal, and reputational ramifications that arise from a data breach affect the entire organization. 

For example, in the pharmaceutical industry, a breach into drug manufacturing systems could lead to a wide range of disruptions, including production downtime. Or it may result in ineffective or harmful drugs, spillage of hazardous materials, and more. In addition, cybersecurity breaches also impact consumers. 

If you’ve ever had a service provider contact you to report that your account has been compromised, you’ve probably thought twice about trusting that company and continuing to use their services.

An attacker with a phishing rod stealing sensitive customer information out a laptop: an email, a piggy bank, and a credit card

The potential negative impacts of a cybersecurity breach across your organization is vast. It’s essential that organizations create a comprehensive security-centric culture with a focus on complying with cybersecurity regulations. Risk and compliance teams have an important role to play in driving awareness and educating everyone about the impact of attacks. Executives play a critical role in shifting organizational mindsets from awareness to action, committing to ongoing assessments and monitoring, remediations, and management of cybersecurity compliance risks. 

The Challenge of Regulations

If standards, regulations, or rules are too burdensome, organizations and their employees may engage in insecure workarounds to meet business needs. It’s important to communicate to staff how to attain security without compromising business goals.

What’s more, as mandatory cybersecurity regulations become more burdensome, organizations are forced to give these priority in terms of time and cost to implement, which hampers other initiatives and improvements for the sake of compliance. These regulations often come with extensive reporting requirements to regulatory and lawmaking bodies, which takes the focus off secure operations. It’s just as important that regulators and organizational leaders verify that security controls are effective and that compliance requirements elevate security.

Compliance can also serve as a barrier for small companies that may not be equipped to handle all the security requirements imposed by regulators when trying to bring a new technology or service to market. It’s important that lawmakers carefully consider the benefits of any new regulation, and strive to ensure that they balance security with companies’ ability to innovate.

Keeping Pace with Change

As guidance and regulations evolve quickly, organizations may not have the resources to keep up with changes year over year. Cybersecurity is a fast-moving sector, as both attackers and security providers vie to outsmart each other.

New threats—and innovative ways to combat them—emerge all the time. Unfortunately, an attacker only needs to find one vulnerability to exploit, while security professionals have to work to mitigate all of them. This puts security professionals at a disadvantage. It requires them to manage risks in a way that takes into account and prioritizes the threats and potential adverse impacts. The following sections cover ways to prioritize the most critical vulnerabilities while also streamlining compliance efforts.

Emerging technologies also present regulatory challenges, with revised frameworks quickly becoming obsolete as new technologies come on the scene and overlapping regulations are designed across industries.

Organizations need the flexibility to mitigate risks from new technologies without committing time and resources on outdated compliance requirements that may not be the best fit in the current technology landscape. For example, as systems and services move to the cloud, past regulations are becoming inadequate as system boundaries become obsolete. This is especially true due to the new normal of hybrid work that has taken shape due to the COVID-19 pandemic, which carries new challenges to organizations in managing the risks that remote users present.

Automating Compliance

Gone are the days where organizations used a spreadsheet to document their controls and then had to copy, paste, and repeat against other regulations. Today, organizations use automation to document once, and then comply against many different standards. They use automated tools to collect evidence—such as vulnerability scan results and analysis, log correlation, and more—to assess their security posture, add workflow to task out items such as patching, and report to senior executives.

Automation helps streamline compliance especially with software engineers using compliance as code where they design their system and products to automatically meet control objectives. One example of automating compliance is the National Institute of Standards and Technology’s (NIST’s) Open Security Controls Assessment Language (OSCAL).

Cybersecurity Compliance Requires the Right People

The recruitment, retention, and training of the right security personnel to help meet compliance requirements is key. Ideally a combination of compliance analysts, security operations specialists, and software engineers make up these teams. Because the burden of regulatory compliance on organizations can be huge, organizations need to create focused cybersecurity teams that work in tandem with their internal risk teams. Organizations must hire more staff who are well-trained on the security aspects related to their industry.

Outsourcing Compliance

With the economic effects of the COVID-19 pandemic still in full force, organizations are looking to contain costs by working with third-party vendors and partners on an ongoing basis.

One area organizations may look to outsource is compliance. This may be especially true to help perform gap assessments and meet reporting requirements, particularly if a company is small, doesn’t have the right staff in house, or needs a small increase in effort for a short time to meet a new regulation or answer a point-in-time audit. As outsourcing compliance becomes more prevalent, frameworks and vendor assessments will also need to raise the bar for third-party vetting to ensure a degradation in security doesn’t occur.

Sum It Up

In this unit, you’ve been introduced to the major trends impacting cybersecurity compliance and regulation. Let’s delve into some solutions to these regulatory challenges.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback